Securing Git repositories with gittuf

Even "just have somebody trusted sign off that a CI run happened" would be a vast improvement over the current situation. You can't store a local record of the things that Github runs or its artifacts (at least, not in an accessible and automated way), and Github's UX appears to drop this information after some time. Meanwhile for the tests that I run locally, I record these using some ad-hoc git-notes based thing that is hard to share with others and makes it very easy to lose track of records because I didn't take the time to create a principled append-only searchable global log out of it.

The result is that, when I receive a bug report about a branch that hasn't been updated in months (or years), and when I go to build it, I have no idea what compiler version or environment it was tested on, what suite of tests were run and at what time and by whom, etc etc.

Same for signoffs on merges. Here Github works pretty well, at least if you have some local mapping from commit IDs to pull request numbers, but it still makes me nervous that I need to trust Github to store a record of ACKs forever. (Maybe gerrit is sufficient to address this issue? I don't know because the value proposition hasn't been big enough for me to learn it it, let alone encourage my team members to follow.)

So without even touching on the trust/security aspect of things, this project is something I'm very interested in. Just to have an audit log about what happened to my project and when (at least, according to me or other people I trust).